Is it possible to install an antivirus package on the server which in turn protects all the PCs on the domain? This might seem a little far-fetched, but then this would reduce the processing power needed on the client computers (which are part of the domain) and also would help to reduce licensing costs.

Could there also exist a concept of an antivirus server? Hmm... just thinking out loud here, please do correct me if I'm wrong. If such solutions exist I would be highly interested in implementing the same.

5 Answers

Antivirus can be deployed at the edge of the network on a firewall. This would scan email, web traffic, etc. This is a very good first defense effort, and most security-minded organizations have some sort of filtering going on at this level. It fails to meet all possible threats, though. Flash drives are a very common method of transferring viruses. There is no way a firewall can scan the flash drives without software on the clients.

With that in mind, there's no way anything can scan flash drives or optical drives without a client software package being installed. Scanning local files on the hard drive would be horribly cumbersome over the network. The second level of defense is to install a server-based anti-virus. Packages like Symantec Endpoint Protection Manager and Trend Micro Worry-Free Business Security are examples of these. Both of these software packages install a large management console on the server. Client packages are then created and deployed from the server to the clients. These packages are smaller than most consumer A/V products I've seen, so they do help out on system resources. As far as licensing costs are concerned, you'll generally pay more for one of these systems than standalone AV (unless you're licensing large quantities). This extra cost is worth it for the ease of management and reporting, control of updates, and smaller client package.

I've never seen anything like this and it sounds like a terrible idea because of the latency of constantly sending every piece of data to the server; waiting for the server to process it; sending it back to the client; lots and lots of latency...

That sort of thing is not possible due to how the anti-virus system has to work. This is summarized to some extent, but the concepts are there.

For on-access scanning, which is by far the most common type of scanning activity an AV package does:

1. A program attempts to open a file. It does this by using Windows API calls.
2. The anti-virus program has hooks into the API calls and is executed instead.
3. The AV program scans the file for viruses.
4. If the AV program finds none, it allows the program to open the file.

Because this "gets in the way" of running a system on naked disks, AV programs necessarily introduce some lag in accessing files. Users notice this. Because of this, the scanning engine has to be as close to the user as it possibly can be, and that means locally. If step 3 there involved copying the file over the network to the scanning server before it is released, the lag would be very, very significant.

Also, modern AV packages do things like scanning running memory for viruses, which is something a remote server simply couldn't do without a lot more Windows API hooks than currently exist. At minimum an agent would have to be installed, and protection still wouldn't be that good.
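The four-step on-access flow in the answer above, modeled in user-mode Python as an added example (this is not code from the answer, and a real product does this in a kernel filesystem filter driver, not by wrapping open()). The EICAR string is the real, harmless industry-standard AV test pattern; the hash signature, the constructed "malware-sample-bytes" content and the file names are assumptions made up for the example:

```python
"""Toy on-access scanner: intercept a file open, scan it, then allow or deny."""
import hashlib
import os
import re
import tempfile

# Signature 1: the EICAR test string (standard, harmless, detected by every AV engine).
# Signature 2: a hypothetical hash signature constructed for this example; the
# "malicious" content it matches is just the constructed bytes b"malware-sample-bytes".
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*".encode()
PATTERN_SIGNATURES = {
    "EICAR-Test-File": re.compile(re.escape(EICAR)),
}
HASH_SIGNATURES = {
    hashlib.sha256(b"malware-sample-bytes").hexdigest(): "Example.Hypothetical.Sample",
}


def scan_bytes(data: bytes):
    """Return the name of the first matching signature, or None if the data is clean."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:          # exact-file (hash) signature, cheapest check
        return HASH_SIGNATURES[digest]
    for name, pattern in PATTERN_SIGNATURES.items():  # byte-pattern signatures
        if pattern.search(data):
            return name
    return None


class AccessDenied(PermissionError):
    """Raised when the on-access scanner blocks an open() call (step 4 fails)."""


def guarded_open(path, mode="rb"):
    """Stand-in for the AV hook on the file-open API (steps 1-4 in the answer).

    The caller asks for a file (step 1); this wrapper runs instead of the raw
    open (step 2); the content is read and scanned locally (step 3); a hit
    raises AccessDenied, a clean file is opened and the handle returned (step 4).
    The scan happens before any handle is handed back, which is exactly why the
    scanning engine has to sit on the same machine: a network round trip here
    would be paid on every open().
    """
    with open(path, "rb") as fh:
        content = fh.read()
    verdict = scan_bytes(content)
    if verdict is not None:
        raise AccessDenied(f"{path}: blocked, matched signature {verdict}")
    return open(path, mode)


def demo():
    """Write one clean file and one EICAR file to a temp dir and open both through the hook."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "report.txt")   # constructed sample file names
        eicar = os.path.join(d, "eicar.com")
        with open(clean, "wb") as f:
            f.write(b"quarterly numbers, nothing to see here\n")
        with open(eicar, "wb") as f:
            f.write(EICAR)
        for p in (clean, eicar):
            try:
                with guarded_open(p) as fh:
                    results[os.path.basename(p)] = ("allowed", len(fh.read()))
            except AccessDenied as e:
                sig = str(e).split("matched signature ")[1]
                results[os.path.basename(p)] = ("blocked", sig)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

If you run this on a Windows box that already has a real AV product installed, the product's own on-access hook will most likely quarantine eicar.com the moment demo() writes it, before this toy scanner ever sees it; that is the same interception the answer describes, done at the filter-driver level.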

The key concept (at least to me) is that malware is composed of some type of process. It may be an actual exe, or a script, or an infected DLL, etc. As such it runs in a local context... on the machine where it exists. There are some types of malware that may propagate themselves over a network and spawn their process(es) on remote machines, but they still run in a local context. At the end of the day the malware needs a "host" in order to do its damage.

I'm not aware of any AV software that can monitor remote executables/processes and stop them from running. That's the job of a locally installed AV program that can monitor processes, files, etc.

You can find many AV programs that have server based management components for the purpose of centrally managing the AV clients.

<Edit> If you are looking for a free/open-source Windows AV solution, that project is called ClamAV. I do not have any basis for a personal recommendation, as I have never used it. Let us know how it goes. </Edit>

Answers to your questions:

Sure, but only if your server is a terminal server and your clients are thin clients that are not themselves malware-prone. If you are building an environment from scratch, you might want to consider the pros/cons of this type of a solution before buying workstation PCs. If you already have Windows desktops, there is no way around the fact that they need malware protection.

Yes, but an "anti-virus server" merely provides a central point for administration and reporting. It simplifies administration of endpoint anti-virus software on workstations, but it does not replace it. Most enterprise AV software packages include anti-virus server software.

Two unsolicited tips for buying Windows anti-virus software:

Be sure to get a quote for CA anti-virus, but don't even think of buying it (it's nearly useless). If you have hundreds of computers at your site, the CA product will cost you less than $10 per seat per year. This will give you leverage to negotiate with other AV software vendors, and they will be inclined to match CA's per-seat-per-year price if you sign up for a multi-year agreement.

Before you spend any money on a particular AV product, be sure to evaluate it in your actual environment. Lots of AV vendors will give you free 30-day evaluation licenses, and some (e.g. ESET) may even give you a 90-day enterprise evaluation. Some products (e.g. Symantec Endpoint Protection) will dramatically increase CPU utilization on busy servers, even when exclusions are configured correctly, and this sort of thing can be a deal breaker depending on the devilish details.

I know this will be a little cheap to ask, but I'm building this network from scratch for a non-profit charitable organization and hence the budget is a problem. Are any low-cost solutions available, or maybe free or open source?
– Reuben Aug 12 '10 at 3:14


If you are building a network from scratch for a non-profit charitable organization, you have a tremendous opportunity. You could use Linux (Ubuntu or OpenSuSE would be good choices) to avoid Windows licensing costs. Consider using Userful to share each PC between 2 or more users, reducing upfront hardware costs and long-term power costs. OpenOffice is a great alternative to MS Office for non-profit orgs. And, as pertains to your original question: Linux isn't malware-prone. (Yes, I'm a Windows admin.)
– Skyhawk Aug 12 '10 at 4:11

Sadly we have to go the Windows way, as there are many applications which would not run in a Linux environment, and running them in an emulator is not convenient. Luckily we have been donated our initial setup, but now buying additional software is not in the budget, hence I was looking for a free antivirus solution.
– Reuben Aug 12 '10 at 17:37